Eyes Out West: California ADMT Updates

James Grieco
Jul 24, 2024

Last week the California Privacy Protection Agency met and covered quite a bit of ground on a variety of compliance matters. With the next scheduled meeting on August 20 and the California legislature closing for the year on August 31, here is a cluster of updates on the state of data privacy and AI governance out of the Golden State.

CCPA Enforcement in 2024

Of note, this was also the first CPPA meeting since the state’s public disclosure requirements for data subject request handling entered into effect on July 1. While we didn’t get a full report on those statistics, the Board did come prepared with adjacent data.

From July 2023 to June 2024, the CPPA received and reviewed 2176 consumer complaints. Of those complaints, 16% came from people outside of California, with the most commonly cited complaints covering the right to delete (50%), improper collection, use, storage, and/or sharing of personal info (47%) and the right to opt out (41%).

Telling details from the meeting included that every complaint is reviewed by a CPPA staff member, and that the agency has over 10 cases in formal investigation at the moment, several of which came out of consumer complaints. The board gave an average timeline for enforcement action of roughly 18 months (so it’s unlikely we’ll see a fourth CCPA violation publicly dinged this year).

The board discussed its enforcement priorities, present and future, noting the big three as:

  • Privacy notices and policies
  • Right to delete failures
  • Implementation of consumer requests

For privacy policies, CPPA is still concerned about the use and prevalence of dark patterns (deceptive language designed to coerce users into consumer-unfriendly choices).

The right to delete coming up as a priority makes sense given its relevance to consumers and the sheer number of complaints the agency received about it.

As for the third priority, “implementation,” the board noted they wanted to explore more thoroughly how companies are handling and processing consumer requests (DSRs). 

Additionally, CPPA remarked on a few enforcement advisories, including:

  • Businesses that fail to honor consumer opt-out requests without user verification (CCPA and most progressive state laws do not allow for verification)
  • Businesses that sell or share personal data without notifying the consumer
  • Noncompliant behavior that particularly impacts at-risk groups (basically doubling down on anti-discrimination principles, especially after Maryland and Minnesota expanded this consumer protection in their own state privacy laws)

California in the World of Data Privacy 

California and the CPPA had recently announced a partnership with France’s data protection authority, CNIL, and the meeting explored other cooperation agreements in place around the globe. The board noted they should be communicating with the European Commission and exploring a potential adequacy determination under the GDPR, something that has eluded the country at large.

CPPA clearly sees benefit to reaching out and forming relationships with other data protection enforcement divisions. This would be a welcome change to the overall industry, as even the various data protection authorities within the EU seem disconnected at times. 

California can learn much from more established and more well-staffed DPAs like CNIL, but apparently CPPA is making quite the impression already on these DPAs given their zeal for action despite staffing shortfalls (of note, a large portion of the meeting was dedicated to hirings over the past year and positions that remain to be filled). 

If California is the only state to create a data privacy agency, it is clearly going to try and get the most out of it on the world stage to try and keep the U.S. involved in the matter. 

California ADMT Updates

We won’t bury the lede here: there was no vote to advance the proposed rulemaking package at this meeting, with the main reason being that more economic impact assessment must be done first. This delays the proceedings until at least September, with the earliest the changes could come into effect being Spring 2025.

This rulemaking package adds further regulations under the CCPA/CPRA, with the main areas of expansion being around automated decisionmaking technology (ADMT) and the corresponding risk assessments and audits. If you’re curious to explore the changes, IAPP published a redline, but they remain largely the same as they’ve been throughout 2024.

Concerns over language in AB 2930, the proposed regulation covering ADMT and risk assessments, made it clear the bill is not a shoo-in to pass. There is some apprehension over the broadness of how AI is defined, as well as the need to conduct risk assessments for ADMT rather than what specifically happens to consumer data. By promoting the assessment and how AI makes decisions rather than the result of those decisions, the bill could be handicapping itself as technology continues to evolve.

This line of argument is also in line with Colorado’s AI Act, which does necessitate risk assessments, but is heavily focused on use cases of risk. 

The three main requirements for businesses using an applicable ADMT are:

  • Pre-Use Notice. Businesses must provide consumers with clear disclosures about how they are using ADMT.
  • Opt-Out. Businesses must allow consumers to opt out of having their personal information processed through ADMT.
  • Access. Businesses must provide consumers with the ability to request details about the business’s use of the ADMT in processing personal information.

Bills involving aspects of data privacy and/or AI governance currently under consideration in the California state legislature abound, with 30 at various stages of consideration (this is a handy new tracker).

The July CPPA meeting touched on the following:

  • Assembly Bill (AB) 3048
  • AB 3286 (recently signed into law by Governor Newsom)
  • AB 1949
  • AB 2877
  • Senate Bill (SB) 892
  • SB 893
  • SB 896
  • SB 1223
  • AB 1008
  • AB 2930

AB 2930 is arguably the most important bill there (noted above), as it implements a regulatory framework for the use of automated decisionmaking tools to prevent algorithmic discrimination and sets the requirement to conduct an impact assessment of the ADMT.

AB 1949 and AB 2877 stand out as a one-two punch on children’s privacy, as the former amends CCPA to not process data from minors under 18 (outside of short-term use), while the latter would bar the use of data from children under 16 in the training of AI systems.

AB 3048 would make it so all internet browsers must honor universal opt-out signals, which would be a sweeping reform given some state laws do not require UOOMs be acknowledged at all. 

The other bills cover things such as research into AI, instituting guidelines for how the state uses AI, and requirements for healthcare entities and insurers when using AI in consumer-facing processes. 

In short, there is a lot on the board in California, but with under a month of time in session left (the state congress is currently in recess), it remains to be seen how impactful 2024 will be for the state’s AI governance. Colorado has already jumped California, but with the scope and seriousness California brings to privacy, everyone will need to continue to keep their eye on the Golden State.